The National Institute for Standards and Technology has removed a controversial encryption algorithm from a key security document after years of reports that it contained a backdoor for the National Security Agency.
NIST announced Thursday that its revision to Special Publication 800-90A Rev. 1 — Recommendation for Random Number Generation Using Deterministic Random Bit Generators — would permanently remove the Dual Elliptic Curve random number generator (Dual_EC_DRBG) from its list of reliable algorithms. The removal comes after what the agency calls “concerns that it might contain a weakness that attackers could exploit to predict the outcome of random number generation.”
Among those “attackers” could be the NSA. Stories related to the Edward Snowden leaks pegged the agency, which created the algorithm, as having the ability to break the encryption under its Bullrun program.
Random number generation is a keystone of encryption, especially elliptic curve encryption, which creates an extremely complex mathematical problem to protect information. With a backdoor, that protection is rendered useless.
The document also recommends introducing more randomness into a number of other key algorithms, as the refresh keeps the encryption from becoming weak.
NIST has been debating the removal of the Dual_EC_DRBG since April of last year. Last week’s announcement makes the edit permanent.